Overview

This document is provided as an overview of the security features available in the HP Systems Insight Manager (HP SIM) framework. More detailed documentation can be found in the HP Systems Insight Manager Technical Reference Guide.

Architecture overview

HP SIM runs on a central management server (CMS) and communicates with managed systems using various protocols. The customer can browse to the CMS or directly to the managed system.

Figure 1. Architecture overview

Communication protocols

Simple Network Management Protocol (SNMP)

SNMP v1 is one of the primary protocols used to gather data about systems. SNMP traps are used to notify HP SIM of status changes or other events on a system. SNMP is not a guaranteed protocol; there are no assurances that any request, response, or trap will reach its destination. SNMP security is limited to a clear-text community string included with the request, similar to a password. SNMP data is not encrypted, so the entire payload can be easily snooped on the network. The operating system of the managed system may provide additional security capabilities for SNMP, such as IP address restrictions for valid requests.

Hyper Text Transfer Protocol (HTTP)

HTTP is another primary protocol used to acquire data about managed systems during identification. HTTP is not a secure protocol and can be easily viewed on the network. The secure version of HTTP is called HTTPS and is described later.

Web-Based Enterprise Management (WBEM)

WBEM is another protocol used to acquire data about managed systems. It is primarily XML over HTTP or HTTPS.

Desktop Management Interface (DMI)

DMI is a legacy protocol for management data and has been largely superseded by WBEM. DMI is based on Distributed Computing Environment Remote Procedure Call (DCE/RPC) and is not secure.

Remote Method Invocation (RMI)

Java™ RMI is used within the CMS only for inter-process communication.

Remote Wake-Up

Remote Wake-Up refers to the ability to remotely turn on a system that is in a soft-off power state. Systems that support the Advanced Configuration and Power Interface (ACPI) should be awakened transparently by any network activity to the system. Alternatively, a system might support the Magic Packet technology. When a system is turned off, the Magic Packet–capable network interface card (NIC) is still powered on and monitoring traffic. If it receives the Magic Packet targeting it, the system will be powered on.

Internet Control Message Protocol (ICMP)

ICMP is used during automatic system discovery and prior to other requests to a system to ensure the system is responding. An ICMP echo request, also known as a ping, is sent to the system’s IP address. Receipt of a proper reply indicates the system is up and responding.

Note: HP SIM can be configured to use TCP as a ping, instead of ICMP, from the Global Protocol Settings page.

Lightweight Directory Access Protocol (LDAP)

LDAP 3 is used during execution of a Directory Group tool to communicate with the configured directory server to collect information about systems configured in the directory.

Simple Object Access Protocol (SOAP)

SOAP is used by partner applications to communicate with HP SIM. It is primarily XML over HTTPS.

Securing communication

Secure Sockets Layer (SSL)

SSL is an industry-standard protocol for securing communications across the Internet. It provides for encryption to prevent eavesdropping as well as data integrity to prevent modification, and it can also authenticate both the client and the server, leveraging public-key technology.
All communications between the browser and the CMS are protected by SSL. HP SIM supports both SSL 3 and Transport Layer Security (TLS) 1.0.

Secure Shell (SSH)

SSH is an industry-standard protocol for securing communications. It provides for encryption to prevent eavesdropping plus data integrity to prevent modification, and it can also authenticate both the client and the server utilizing several mechanisms, including key-based authentication. HP SIM supports SSH 2.

HTTPS

HTTPS (Hyper Text Transfer Protocol Secure) refers to HTTP communications over SSL. All communications between the browser and HP SIM are carried out over HTTPS. HTTPS is also used for much of the communication between the CMS and the managed system.

Secure Task Execution and Single Sign-On

Secure Task Execution (STE) is a mechanism for securely executing a command against a managed system using the Web agents. It provides authentication, authorization, privacy, and integrity in a single request. Single Sign-On provides the same features but is performed when browsing a system.

Secure Task Execution and Single Sign-On are implemented in very similar ways. SSL is used for all communication during the STE and Single Sign-On exchange. A single-use value is requested from the system prior to issuing the STE or Single Sign-On request to help protect against replay or delay intercept attacks. Afterwards, HP SIM issues the digitally signed Secure Task Execution or Single Sign-On request. The managed system uses the digital signature to authenticate the HP SIM server. Note that the managed system must have a copy of the CMS SSL certificate imported into the Web agent and be configured to trust by certificate to validate the digital signature. SSL can optionally authenticate the system to HP SIM, using the system’s certificate, to prevent HP SIM from inadvertently providing sensitive data to an unknown system.

Note to Insight Manager 7 users: Insight Manager 7 used the Automatic Device Authentication setting to control STE and Single Sign-On access levels; these are replaced by tools in the new HP SIM authorization model. Any tool that requires STE access to the Web Agents includes it implicitly. For Single Sign-On to Web Agents, the Replicate Agent Settings and Install Software and Firmware tools each provide administrator-level access to the Web Agents.
System Management Homepage As Administrator, System Management Homepage As Operator, and System Management Homepage As User each provide Single Sign-On access at the described level.

Distributed Task Facility

The Distributed Task Facility (DTF) is used for Custom Command tools and multiple- and single-system aware tools. Commands are issued securely to the managed system using SSH. Each managed system must have the CMS SSH public key in its trusted key store so that it can authenticate the CMS. Managed systems are also authenticated to the CMS by their SSH public key.

Privilege Elevation: In HP SIM 5.3, the Privilege Elevation feature allows tools to be run against HP-UX, Linux, and ESX managed systems by first signing in as a non-root user, and then requesting privilege elevation to run root-level tools. This can be configured under Options->Security->Privilege Elevation.

Note to HP Servicecontrol Manager users: SSH replaces the existing signed RMI connections used by the DTF in HP Servicecontrol Manager. This adds a level of encryption and data integrity over signed RMI that was previously only available through the use of a secure network protocol such as IPSec.

WBEM

All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using its SSL certificate.
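The single-use value plus signed request exchange that the Secure Task Execution section above describes, as an added Go example that is not HP SIM or Web Agent code: a stand-in for the Web agent issues a nonce, accepts only requests signed by the key it has imported from the CMS, and refuses replays, tampered commands and requests signed by any other key. The names Agent, CMS, Request, IssueNonce and Execute are assumptions made for this illustration, and a raw ECDSA key stands in for the imported CMS SSL certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrReplay = errors.New("single-use value unknown or already consumed")
var ErrBadSignature = errors.New("request not signed by the trusted CMS")

// Request is a hypothetical stand-in for the signed STE / Single Sign-On message.
type Request struct {
	Nonce   string // single-use value previously issued by the managed system
	Command string // the tool or command to run
	Sig     []byte // CMS signature over Nonce and Command
}

// digest binds nonce and command together so neither can be swapped on its own.
func digest(nonce, command string) []byte {
	h := sha256.New()
	h.Write([]byte(nonce))
	h.Write([]byte{0}) // separator so the two fields cannot shift into each other
	h.Write([]byte(command))
	return h.Sum(nil)
}

// CMS models the HP SIM server, which holds the private key behind its certificate.
type CMS struct{ key *ecdsa.PrivateKey }

func NewCMS() (*CMS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CMS{key: key}, nil
}

// PublicKey is what a managed system imports when set to trust by certificate.
func (c *CMS) PublicKey() *ecdsa.PublicKey { return &c.key.PublicKey }

// Sign produces the digitally signed request for a nonce the agent handed out.
func (c *CMS) Sign(nonce, command string) (Request, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, digest(nonce, command))
	if err != nil {
		return Request{}, err
	}
	return Request{Nonce: nonce, Command: command, Sig: sig}, nil
}

// Agent models the Web agent on a managed system.
type Agent struct {
	trustedCMS *ecdsa.PublicKey // imported CMS key; only this signer is accepted
	live       map[string]bool  // nonces issued but not yet consumed
}

func NewAgent(trustedCMS *ecdsa.PublicKey) *Agent {
	return &Agent{trustedCMS: trustedCMS, live: map[string]bool{}}
}

// IssueNonce is step one of the exchange: hand out a fresh single-use value.
func (a *Agent) IssueNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	a.live[n] = true
	return n, nil
}

// Execute is step two: the request is accepted only if its nonce is still live and
// the signature verifies under the trusted CMS key. The nonce is consumed on any
// attempt, so a captured request cannot be replayed later.
func (a *Agent) Execute(req Request) (string, error) {
	if !a.live[req.Nonce] {
		return "", ErrReplay
	}
	delete(a.live, req.Nonce)
	if !ecdsa.VerifyASN1(a.trustedCMS, digest(req.Nonce, req.Command), req.Sig) {
		return "", ErrBadSignature
	}
	return "executed: " + req.Command, nil
}

func main() {
	cms, _ := NewCMS()
	agent := NewAgent(cms.PublicKey())
	nonce, _ := agent.IssueNonce()
	req, _ := cms.Sign(nonce, "collect-inventory")
	fmt.Println(agent.Execute(req)) // accepted
	fmt.Println(agent.Execute(req)) // same request again: refused as a replay
}
```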

LDAP

When configured to use a directory service, HP SIM can be configured to use LDAP with SSL (default) or without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL in Microsoft Active Directory, refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;321051. Additionally, the directory server can be authenticated using the Trusted Certificate list in HP SIM.

RMI

Java RMI is secured by requiring digitally signed requests using the CMS private key, which should only be available to the local system. All communications use localhost to prevent the communication from being visible on the network.

Credential management

SSL certificates

Certificates generated by HP SIM and the Web Agents are self-signed. Public Key Infrastructure (PKI) support is provided so that certificates may be signed by an internal certificate server or a third-party Certificate Authority (CA). The HP SIM certificate supports multiple names to help alleviate name-mismatch warnings in a browser.

There are several certificates used by HP SIM. The certificate described above is the main certificate and is used by the HP SIM SSL web server, the partner application SOAP interface, and the WBEM indications receiver. This is the certificate used to authenticate HP SIM, if necessary, in the browser, in partner applications that communicate with HP SIM through SOAP, and in WBEM agents that deliver indications to HP SIM. This certificate is also configured in managed systems (for example, SMH, OA, iLO, SE, CV) to enable a trust relationship with the managed system for Single Sign-On (SSO). A separate certificate in HP SIM is used for authenticating HP SIM to HP-UX WBEM Services 2.5 and later, when configured to do so for the WBEM protocol. Certificates from managed systems can be imported into the HP SIM Trusted Certificates list, allowing HP SIM to authenticate those systems.
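An added Go example (not HP SIM or Web Agent code) of what the Trusted Certificates list gives the CMS: a throwaway internal root, a managed-system certificate signed by it and an unrelated self-signed certificate are checked with Go's x509 chain verification against a list holding only the root. The names newCert, verifyManagedSystem and Demo and the example hostnames are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a throwaway certificate for name. With parent == nil it is
// self-signed (as HP SIM and Web Agent certificates are by default); otherwise it
// is issued by parent, which stands in for an internal certificate server.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		// Server certificate: the host name goes in the SAN and it may authenticate a server.
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyManagedSystem applies the Require Trusted Certificates rule: the system's
// certificate must chain to an entry in the trusted list (a root signing certificate
// or the system's own imported certificate) and must carry the expected host name.
func verifyManagedSystem(cert *x509.Certificate, host string, trusted []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, t := range trusted {
		pool.AddCert(t)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// isUnknownAuthority reports whether verification failed because nothing in the
// trusted list vouches for the certificate (rather than an expiry or name problem).
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Demo builds a root, one system certificate signed by it and one unrelated
// self-signed system certificate, then checks both against a list holding only the root.
func Demo() (signedOK, strayRejected bool, err error) {
	root, rootKey, err := newCert("Example Internal CA", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	signed, _, err := newCert("node1.example.com", false, root, rootKey)
	if err != nil {
		return false, false, err
	}
	stray, _, err := newCert("node2.example.com", false, nil, nil)
	if err != nil {
		return false, false, err
	}
	trusted := []*x509.Certificate{root}
	signedOK = verifyManagedSystem(signed, "node1.example.com", trusted) == nil
	strayRejected = isUnknownAuthority(verifyManagedSystem(stray, "node2.example.com", trusted))
	return signedOK, strayRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("CA-signed system accepted:", ok, "| unknown self-signed rejected:", rejected, "| err:", err)
}
```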
See the section How-to: lockdown versus ease of use.

Certificate sharing

HP SIM supports a mechanism whereby other components installed on the system can use the same certificate and private key, facilitating authentication of the system as a whole instead of each individual component. This is currently used by the Web Agents and the WBEM components on the CMS.

SSH keys

An SSH key-pair is generated during initial configuration. The CMS public key is copied to the managed system using the mxagentconfig tool. This key-pair is not the same as for SSL and requires a manual process to regenerate a new pair. See the manpages or online documentation for mxagentconfig for more details. See the Secure Shell (SSH) in HP SIM 5.x white paper for more information (http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html).

Passwords

Passwords configured on the HP SIM System Credentials and Global Credentials pages are stored in the database encrypted using 128-bit Blowfish. These passwords can be further managed using the CLI command mxnodesecurity. A few passwords might be stored in a file on the CMS that are also encrypted using the same 128-bit Blowfish key. These passwords can be managed using the mxpassword command. The password file and the Blowfish key file are restricted with operating system file permissions to administrators or root.

Prior to HP SIM 5.3, passwords configured on the HP SIM protocol settings pages are stored in a local file on the CMS, restricted with operating system file permissions to administrators or root. These passwords can be further managed using the mxnodesecurity command.

Configuring managed systems

Manage communications

The Manage Communications tool can be used to diagnose and repair communication problems between HP SIM and managed systems. If communication problems are detected that might affect identification, receiving events, running tools, or version control, they are listed for each system. You can then reconfigure certain communication settings and credentials and install agents on target systems.

System credentials

The System Credentials tool in HP SIM 5.3 can be used to view credentials that are in use for each managed system; these are credentials that are known to work for the system. You can also configure credentials for each protocol used by HP SIM to communicate with managed systems.

Agent installation

In a Windows environment, the Initial ProLiant Support Pack Install tool can be used to install Systems Management Homepage (SMH), which is pre-configured to trust HP SIM along with other settings. Additionally, it can install and configure SSH (the Install OpenSSH tool can also be used).

Agent configuration

The Configure or Repair Agents tool can be used to install agents on the managed system, or just to configure the systems. The Replicate Agent Settings tool replicates SMH settings from one system to other systems.

Authorizations

An authorization in HP SIM defines which tools a user can operate against which systems. A system list displays only systems for which the user is authorized.
Similarly, only authorized tools are displayed on the menu.

Prior to HP SIM 5.2, configuration rights defined what actions a user could perform within HP SIM, for example, managing tasks, collections, events, discovery, reports, and so on. Many of these actions are now individual tools contained in the Full Rights and Limited Rights toolboxes. The ability to configure CMS security settings, such as user accounts, authorizations, toolboxes, certificates, SSH keys, and so on, requires the configure CMS security right.

Browser

SSL

All communication between the browser and the CMS or any managed server occurs using HTTPS over SSL. Any navigation using HTTP (not using SSL) is automatically redirected to HTTPS.

Cookies

Although cookies are required to maintain a logged-in session, only a session identifier is maintained in the cookie. No confidential information is in the cookie. The cookie is marked as secure, so it is only transmitted over SSL.

Passwords

Any password fields displayed by HP SIM do not display the password. Passwords between the browser and the CMS are transmitted over SSL.

Browser warnings

There are several types of warnings that can be displayed by the browser or by the Java plug-in on the browser, most having to do with the SSL server certificate.

Untrusted system

This warning indicates the certificate was issued by an untrusted system. Since certificates are by default self-signed, this is likely if you have not already imported the certificate into your browser. In the case of CA-signed certificates, the signing root certificate must be imported. The certificate can be imported before browsing if you have obtained the certificate by some other secure method. The certificate can also be imported when you get the warning, but this is susceptible to spoofing since the host system is not authenticated. Do this if you can independently confirm the authenticity of the certificate or you are comfortable that the system has not been compromised.

Invalid certificate

If the certificate is invalid because it is not yet valid or it has expired, it could be a date or time problem, which could be resolved by correcting the system’s date and time. If the certificate is invalid for some other reason, it might need to be regenerated.

Host name mismatch

If the name in the certificate does not match the name in the browser, you might get this warning. This can be resolved by browsing using the system’s name as it appears in the certificate, for example, marketing1.ca.hp.com or marketing1. The HP SIM certificate supports multiple names to help alleviate this problem.
Refer to the System link format section below for information on changing the format of names created in links by HP SIM.

Signed applet

Previous versions of HP SIM use a Java plug-in that can additionally display a warning about trusting a signed applet. Those previous versions of HP SIM use an applet signed by Hewlett-Packard Company, whose certificate is signed by Verisign.

Browser session

By default, HP SIM does not time out a user session while the browser is displaying the HP SIM banner. This is known as monitor mode, and allows continuous monitoring of the managed systems without any user interaction. The session times out after 20 minutes if the browser is closed or navigates to another site.

An active mode is also supported where the session times out after 20 minutes if the user does not interact with HP SIM by clicking a menu item, link, or button. You can enable active mode by editing the globalsettings.props file and changing the EnableSessionKeepAlive setting to false.

Best security practices include care when visiting other websites. You should use a new browser window when accessing other sites; when you are finished using HP SIM you should both sign out and close the browser window.

Internet Explorer zones

Internet Explorer supports several zones that can each be configured with different security settings. The name used to browse to HP SIM or managed systems can affect which browser zone Internet Explorer places the system in. For example, browsing by IP address or full Domain Name System (DNS) name (for example, hpsim.mycorp.com) can place the system into the browser’s more restrictive Internet zone, causing improper operation. Ensure systems are being placed into the correct Internet zone when browsing. You might need to configure Internet Explorer, or use a different name format when browsing.

System link format

To facilitate navigation to managed systems, HP SIM provides the System Link Configuration option to configure how links to managed systems are formed. Go to Options->Security->System Link Configuration.

Three options are available:
• Use the system name
• Use the system IP address
• Use the system full DNS name

If you need full DNS names to resolve the system on your network, keep in mind that the browser might display a warning if the name in the system’s certificate does not match the name in the browser.

Operating-system dependencies

User accounts and authentication

HP SIM accounts are authenticated against the CMS host operating system. Any operating system features that affect user authentication affect signing into HP SIM. The operating system of the CMS can implement a lock-out policy to disable an account after a specified number of invalid sign-in attempts. Additionally, an account can be manually disabled in the Microsoft Windows domain. Any account that cannot authenticate against the operating system prevents signing into HP SIM using that account.
For automatic sign-in to HP SIM, user accounts must be domain accounts.

Note: A user who is already signed into HP SIM is not re-authenticated against the operating system until the next sign-in attempt and continues to remain signed into HP SIM, retaining all rights and privileges therein, until signing out of HP SIM.

IMPORTANT: If creating operating system accounts exclusively for HP SIM accounts, give users the most limited set of operating system privileges required. Any root or administrator accounts should be properly guarded. Configure any password restrictions, lock-out policies, and so on, in the operating system.

File system

Access to the file system should be restricted to protect the object code of HP SIM. Inadvertent modifications to the object code can adversely affect the operation of HP SIM. Malicious modification can allow for covert attacks, such as capturing sign-in credentials or modifying commands to managed systems. Read-level access to the file system should also be controlled to protect sensitive data such as private keys and passwords, which are stored in a recoverable format on the file system. HP SIM does not store user account passwords for users signing into HP SIM.

IMPORTANT: HP SIM sets appropriate restrictions on the application files. These restrictions should not be changed because this could affect the operation of HP SIM or allow unintended access to the files.

Background processes

On Windows, HP SIM is installed and runs as a Windows service. The service account requires administrator privileges on the CMS and the database, and can be either a local or a domain account. For automatic sign-in to HP SIM, a domain account must be used. On UNIX, HP SIM is installed and runs as daemons running as root.

Windows Cygwin

The version of Cygwin provided with the SSH server for Windows, for the CMS and the managed systems, has been modified with security enhancements to restrict access to the shared memory segment. As a result, it does not interoperate with the generally available version of Cygwin. Only administrative users can connect to a system running the modified SSH server.

HP-UX/Linux

The device /dev/random is used, if available on the CMS, as a source for random numbers within HP SIM.

Database

Access to the database server should be restricted to protect HP SIM data. Specify appropriate non-blank passwords for all database accounts, including the system administrator (sa) account for SQL Server. Changes to the operating data, such as authorizations, tasks, and collection information, can affect the operation of HP SIM. System data contains detailed information about the managed systems, some of which might be considered restricted, including asset information, configuration, and so on.
Task data might contain extremely sensitive data, such as user names and passwords.

SQL Server/MSDE

HP SIM uses only Windows authentication with SQL Server and MSDE. The installation of MSDE with previous versions of HP SIM creates a random password for the sa account, though it is not used for HP SIM.

Remote SQL Server

SQL Server supports advanced security features, including SSL encryption during sign-in and data communication. More information can be found in SQL Server documentation and the Microsoft website.

PostgreSQL

PostgreSQL uses a password that is randomly generated when HP SIM is installed. This password can be changed through the command line. Refer to the mxpassword reference for more information.

Oracle

The Oracle database administrator must create a user (preferably with a non-blank password) for HP SIM to use when connecting to Oracle. The Oracle user must have, at the minimum, the Connect and DBA roles, which allow HP SIM to have the correct privileges to create and delete HP SIM tables and views, along with read/write access to the HP SIM tables. Changes to the operating data, such as authorizations, tasks, and collection information, can affect the operation of HP SIM. System data contains detailed information about the managed systems, some of which might be considered restricted, including asset information, configuration, and so on. Task data can contain extremely sensitive data, such as user names and passwords.

Auditing

The HP SIM audit log contains entries for important system activities, such as executed tasks, authorization modifications, user sign-in and sign-out, and so on. Tools by default are configured so that results are logged to the audit log, but their tool definition files can be modified so that this is not the case.

Command-line interface

Much of HP SIM’s functionality can be accessed through the command line. To access the command-line interface, you must be logged on to the CMS using an operating system account that is a valid HP SIM user account. That account’s authorizations and privileges within HP SIM apply to the command-line interface as well.

Note: On a Windows system, the operating system account must have administrator-level access on the CMS for all of the commands to work properly.

How-to: configuration checklist

General
• Configure firewalls to allow desired ports/protocols.
• Review lockdown versus ease of use.
• After configuring the CMS and managed systems, run discovery on the CMS.

Configure CMS
• Inspect the SSL server certificate and update if desired.
• Configure passwords and SNMP community strings. See the Configuring the CMS for managed systems section below.
• Configure user accounts, based on operating system accounts that will access HP SIM.
• Review and configure toolboxes if defaults are not appropriate.
• Review and configure authorizations for users.
• Configure the system link configuration format.
• Review the audit log.

Strong security
Note: See How-to: lockdown versus ease of use for more details.
• Enable Require Trusted Certificates; inspect and import desired system SSL certificates or root signing certificates.

• Require only known SSH keys; inspect and import desired system SSH public keys.

Configure managed systems
• Configure SNMP community strings, which are required at the CMS.
• For WBEM on HP-UX and Linux, configure the WBEM password. This password is required at the CMS. For the highest level of security, a different user name and password can be used for each managed system; each user name and password pair must be entered into the CMS to enable access.
• The CMS requires a user name and password to access WMI data on Windows systems. By default, a domain administrator account can be used for this, but you should use an account with limited privileges for WMI access. You can configure the accounts accepted by each Windows managed system by using the Computer Management tool:
  1. First select the WMI Control item.
  2. Right-click WMI Control and select Properties.
  3. Select the Security tab, select the Root namespace, and click Security.
  4. Add a user to access WMI data along with their access rights. The Enable Account and Remote Enable permissions must be enabled for correct operation of HP SIM.
  5. The user name and password specified here must be configured in the CMS.
• Set up user accounts for Insight Web Agents.
• Add the CMS SSH public key to the system’s trusted key store by running mxagentconfig on the CMS.
• Configure the trust relationship option for Insight Web Agents; import the CMS SSL certificate if set to trust by certificate.

Configuring the CMS for managed systems

The CMS must be configured with the user name and password used for WBEM and WMI access and for the SNMP community names. These can be set using the Global Credentials page if a common user name and password or community name is used across all the systems in the network, or individually for systems using the System Credentials page. Both of these are accessible from the Options->Security->Credentials (Options->Protocol Settings *) menu. The command-line tool mxnodesecurity can also be used to configure these settings. Refer to the man page or online documentation for details.

IMPORTANT: Any passwords specified in the Global Credentials (Global Protocol Settings *) page are used during system identification. Sensitive passwords, such as root or domain administrator passwords, should not be specified here if there is a risk of sending these to untrustworthy systems.

* For versions prior to HP SIM 5.3.

How-to: lockdown versus ease of use

Moderate

The Insight Management Agents should be configured to trust by certificate. This requires distributing the HP SIM certificate, which includes the public key, to all the managed systems. Once the systems have been configured to trust the HP SIM system, they will accept secure commands from that particular system only.

This certificate can be distributed in a number of different ways, including:
1. Use the Web-based interface in an individual Insight Management Agent to specify the HP SIM system to trust. This causes the agents to pull the digital certificate from the HP SIM system immediately, enables you to verify it, and then sets up the trust relationship. This option does have some limited vulnerability: it would be possible to spoof the HP SIM system at the time the certificate is pulled and thus set up an unexpected trust relationship. However, it is reasonably secure for most networks.
2. Import the HP SIM certificate during initial installation of the Insight Management Agents. This can be done manually during an attended installation or through the configuration file in an unattended one. This method is more secure because there is little opportunity for the spoofing attack described above.
3. If you have already deployed the Insight Management Agents, you can distribute the security settings file and the HP SIM certificate directly to the managed systems using OS security.

IMPORTANT: When using the Trust by certificate option, the HP SIM SSL certificate must be redistributed if a new SSL certificate is generated for HP SIM.

SSH on the managed system normally operates in a mode similar to trust by certificate in that it requires the SSH public key from the CMS. Note that the SSH public key is not the same as the SSL certificate. The command mxagentconfig is used on the CMS to copy the key to the managed system. This must be done for each user account that is to be used on the managed system, since the root or Administrator account is used by default.

IMPORTANT: The HP SIM SSH public key must be redistributed if the SSH key-pair is regenerated.

Strong

The strong security option lets you take advantage of every security feature. This option provides the highest level of security available within the HP SIM security framework, but there are some additional procedural steps you must take in your server operations. Also, this option is facilitated by using your own PKI that includes a certificate authority and certificate server.
1. First, you must generate certificates from your certificate server for each managed system and the HP SIM system. To do this, first generate a certificate signing request (CSR) from the various systems. This generates a PKCS#7 file. This file should then be taken to the certificate server and signed, and then the resulting file (generally a PKCS#10 response) should be imported into each managed system and the HP SIM system.

IMPORTANT: To maximize security, it is important that none of these steps be done over a network unless all communications are already protected by some other mechanism. Thus, in the case of the Insight Management Agents, removable media (for example, a USB thumb drive or floppy disk) should be taken directly to the managed system, have the PKCS#7 file placed on it, and be hand-carried to a secure system with access to the certificate server. The PKCS#10 response file should similarly be placed on the removable media and returned to the managed system to be imported into the Insight Management Agents.
2. Take the root certificate (just the certificate, not the private key) of your certificate server and import that into the HP SIM trusted certificate list. This allows HP SIM to trust all the managed systems because they were signed with this root certificate.

3. Take the certificate from the HP SIM system and import it into the Insight Management Agents of each system. This allows the managed systems to trust the HP SIM system. This certificate can be distributed using any of the methods available to distribute the HP SIM certificate. However, the option to pull the certificate directly from the HP SIM system over the network must be avoided due to the potential man-in-the-middle attack.
IMPORTANT: As in the Moderate option, you must redistribute the HP SIM SSL certificate to the managed systems whenever a new HP SIM SSL certificate is generated.
4. Once these steps have been completed, you can turn on the option in HP SIM to enable Require Trusted Certificates. Select Options->Security->Certificates->Trusted Systems->Trusted Certificates (Options->Security->Certificates->Trusted Certificates *). The warnings presented around this option make it clear that any managed system that does not have a certificate signed by your certificate server will not be sent secure commands from the HP SIM system, although it will be monitored for hardware status.
5. For SSH, turn on the option to accept SSH connections only from specified systems. Select Options->Security->Credentials->Trusted Systems->SSH Host Keys (Options->Security->SSH Keys *) and enable the option The central management server will accept an SSH connection only if the key is in list below. Afterwards, you must manually import each managed system’s public SSH key into the list of keys in HP SIM.
Note: To configure this in previous versions of HP SIM, add or modify the following line in mx.properties:
MX_SSH_ADD_UNKNOWN_HOSTS=false
and then restart HP SIM. Afterwards, you must manually import each managed system’s public SSH key into the list of keys in HP SIM.

* For versions prior to HP SIM 5.3.

Port listing

The following ports and protocols are used by the HP SIM solution. If you have an application firewall, the core HP SIM process is mxdomainmgr, and the Distributed Task Facility (DTF) is mxdtf.

NOTES:
1. All ports are for TCP and UDP (except ICMP).
2. The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system.
3. The RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and firewalls may block this port.
4. Many CMS outgoing ports are used for discovery.
5. The exact UDP/TCP ports used by DMI are dynamic and vary from system to system, but they tend to be around 32,780 and higher.
6. The port number is configurable in mx.properties using MX_SOAP_PORT.
7.

NOTE:
• Communication between browsers and the VMM Web Service uses HTTPS over port 50010.
• Communication between the VMM Web Service and the VMM Service (both on the HP SIM CMS) uses SSL over port 1124.
• Communication between the VMM Service and the VMM agent (on virtual machine hosts) uses SSL over ports 1125 and 1126.
• Communication between VMM agents during a virtual machine move or copy operation uses SSL over port 1126.

Integrated Lights-Out (iLO) ports

The following ports are used by iLO. Disabling certain features of iLO will affect the list of ports actually opened by iLO. Refer to the Integrated Lights-Out Security technology brief located at:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf